They DDoS'ed all manner of government and financial sites, including NASDAQ, ca.gov, and CIA.gov, which they took down for a matter of hours in April. They bypassed Google two step, hijacked 4chan's DNS and redirected it to their own Twitter feed, and repeatedly posted Mayor Michael Bloomberg's address and Social Security number online. After breaking into one billing agency using social-engineering techniques this past May, they proceeded to dump some 500,000 credit card numbers online. Cosmo was the social engineer for the crew, a specialist in talking his way past security barriers.

Cosmo, who is currently being held in a juvenile detention center, explains that many of these attacks he's taken part in aren't all that difficult—in many cases all he needed was a few pieces of information like the last four digits of a social security number and an email address:

Advertisement

He would gather little bits of information here and there, collecting dox data from various online services, like addresses and credit card numbers, until he had what he needed to launch an attack. Often, he did that by calling a company's tech support system and pretending to be a worker in another department. Sometimes he was able to pull that off by learning intimate details of a company's back-end systems.

It's a harrowing tale. And another lesson in the number of ways hackers want to exploit you. Head over to Wired for the entire story. [Wired]